Ticket #7768: 7768.diff

File 7768.diff, 2.3 KB (added by DD32, 6 years ago)
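--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -342,10 +342,9 @@
 
         $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
 
-        $metakeyselect = $wpdb->escape( stripslashes( trim( $_POST['metakeyselect'] ) ) );
-        $metakeyinput = $wpdb->escape( stripslashes( trim( $_POST['metakeyinput'] ) ) );
-        $metavalue = maybe_serialize( stripslashes( (trim( $_POST['metavalue'] ) ) ));
-        $metavalue = $wpdb->escape( $metavalue );
+        $metakeyselect = stripslashes( trim( $_POST['metakeyselect'] ) );
+        $metakeyinput = stripslashes( trim( $_POST['metakeyinput'] ) );
+        $metavalue = maybe_serialize( stripslashes( trim( $_POST['metavalue'] ) ) );
 
         if ( ('0' === $metavalue || !empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
                 // We have a key/value pair. If both the select and the
@@ -362,9 +361,7 @@
 
                 wp_cache_delete($post_ID, 'post_meta');
 
-                $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta
-                        (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)",
-                        $post_ID, $metakey, $metavalue) );
+                $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)", $post_ID, $metakey, $metavalue) );
                 return $wpdb->insert_id;
         }
         return false;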
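Review bot: With the `$wpdb->escape()` calls dropped, `$metakeyselect`, `$metakeyinput` and `$metavalue` now carry raw request data, and the only sink visible in this section is the `$wpdb->prepare()` INSERT; the lines between the two hunks (old 352–361, where `$metakey` is presumably chosen) are not shown and should be checked for any use of these values in SQL or output that relied on the earlier escaping. In the collapsed INSERT, `$post_ID` is still bound with `%s`, while the queries in wp-includes/post.php bind the post id with `%d`, so I would write `VALUES (%d, %s, %s)` here. The enclosing function starts and ends outside the hunks.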
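--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -519,6 +519,7 @@
 
         // expected_slashed ($meta_key)
         $meta_key = stripslashes($meta_key);
+        $meta_value = stripslashes($meta_value);
 
         if ( $unique && $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) )
                 return false;
@@ -631,6 +632,7 @@
 
         // expected_slashed ($meta_key)
         $meta_key = stripslashes($meta_key);
+        $meta_value = stripslashes($meta_value);
 
         if ( ! $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) ) {
                 return add_post_meta($post_id, $meta_key, $meta_value);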
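Review bot: The fallback at new line 638 passes the already-unslashed `$meta_key` and `$meta_value` to `add_post_meta()`, and the first hunk of this file (new lines 521–522, which appears to be that function) calls `stripslashes()` on both again, so a value containing literal backslashes would lose them whenever an update falls through to an add. Keep the slashed originals for that call, for example `$slashed_key = $meta_key; $slashed_value = $meta_value;` before the `stripslashes()` lines and then `return add_post_meta($post_id, $slashed_key, $slashed_value);`. `stripslashes()` also expects a string, so if callers pass arrays or objects as `$meta_value` (not visible here) `stripslashes_deep()` would be the safer call. The comment `// expected_slashed ($meta_key)` should become `// expected_slashed ($meta_key, $meta_value)` in both hunks. Both function bodies continue outside the hunks.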